Certificates-based wifi auth
-
hi,
any linkt to an excellent how tothanks
-
CA package? You mean the built in pfsense CA?
So your wanting to auth your wifi with eap-tls? I have this running currently, guess I could throw together a how to. I ran into one little issue with IOS devices like ipads and iphones and the .p12 package for the ca cert and user cert and key not having a password. But easy enough to work around with openssl to create a .p12 and put a password on.
I have windows 7 machines, android nexus phone and iphones and ipads all using eap-tls to auth to my wifi. Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.
John, this would also help me greatly. I've tried several things and I can't seem to get EAP-TLS to work without Windows prompting for a username. I followed the directions here under EAP-TLS: https://doc.pfsense.org/index.php/Using_EAP_and_PEAP_with_FreeRADIUS
:) Andrew
-
what flavor of windows are you using? Did you get any other devices work with it? I have couple iphones, ipad, nexus phone 3 laptops running windows 7..
-
Windows 7 Enterprise x64. I haven't tried any other OS as I don't have any handy here. I do have an Android phone but wasn't sure about how to install certs.
Your screenshots look exactly like mine. Freerad-ca is the CA .crt you created in the Certificates section of pfSense?
I created a CA there, in pfSense Cert Manager, as well as Client certificate (exported as .p12) and then imported both of them here:
Client cert.p12 –-> Certificates - Current User > Personal > Certificates
CA cert.crt ---> Certificates - Current User > Trusted Root Certification Authorities > CertificatesI also tried adding to Local Computer cert stores as well, which didn't make a difference.
When you connect to your wireless, does it just... work? Or does it prompt you to select a certificate or to enter credentials? IF I select "use a different username for the connection" then I get the same prompt for certificate as in my screenshot, but with the option to type a username (no password). The certificates I can select from are either the one I created in pfSense (which I assume is what I want!) or my domain user certificate. The fact there is a checkbox for "use a different username" makes me feel like it's trying to authenticate with certificate AND credentials.
If I click through the certificate selection, it thinks about it for about 10 seconds and then prompts again with the same cert selection dialog.
Thanks for your help :)
Andrew
-
When I connect it just works.. I don't get prompted for anything.
Did you create a user in freeradius? With eap-tls you do not need a user account. Did you disable the other weak eap and set tls as default?
-
Did you create a user in freeradius? With eap-tls you do not need a user account. Did you disable the other weak eap and set tls as default?
I did, just as a test to see if it was working via EAP-PEAP. (which it was). I then deleted the user account, as I don't want any user/pass authentication, only certificate.
Here are my settings in the EAP tab on freeradius. (EAP settings.jpg)
Every time I connect, I just get prompted with this: (Certificate.jpg). Pressing OK makes the system think for a moment, then re-prompt me with the same dialog. If I remove the Communications Server (client auth - used for other things) certificate from Current User > Personal > Certificates, so I only have the 1 certificate Windows can choose from, then Windows doesn't prompt me with the dialog. It just errors out saying it cannot connect to my AP.
Viewing my AP's log, I see "Wireless system with Mac address <my laptop's="" wireless="" mac="">deauthenticate reason 1"</my>… which according to http://www.cisco.com/c/en/us/td/docs/wireless/controller/3-2/configuration/guide/ccfig32/c32err.html means "1 - unspecifiedReason - Client associated but no longer authorized."
-
Figured it out!!!! 8) 8) 8) 8)
The problem was the user I created in Freeradius had a different name than the user certificate. I didn't think setting up a user was a required setting, since I didn't want any username/password auth. But it makes sense to me now.
I created a user with a blank password in Freeradius > Users and gave it the same name as my user cert. Immediately worked ;D
Thanks for all your help John.
Andrew
-
You probably want those users to have a long, random password, not blank.
-
You probably want those users to have a long, random password, not blank.
Would it still allow the certificate only (TLS) authentication that way? Or would it prompt for a username/password when connecting?
-
Try it and see.
-
No problems!
I added a complex password, and it doesn't seem to care. Awesome ;D
-
"I didn't think setting up a user was a required setting,"
its not - but if you have one that matches you could have problems. I don't have any user accounts, but 7 different devices that auth with eap-tls..
-
CA package? You mean the built in pfsense CA?
So your wanting to auth your wifi with eap-tls? I have this running currently, guess I could throw together a how to. I ran into one little issue with IOS devices like ipads and iphones and the .p12 package for the ca cert and user cert and key not having a password. But easy enough to work around with openssl to create a .p12 and put a password on.
I have windows 7 machines, android nexus phone and iphones and ipads all using eap-tls to auth to my wifi. Keep in mind that not all devices support wpa/wpa2 enterprise and you will still need to maintain a psk wifi ssid for these types of devices.
John, if you could put together a how-to what would be greatly appreciated. I have been trying to get the same setup as the OP.
